Automation has a critical role to play when operationalizing the NIST Cybersecurity Framework (CSF). Emerging tools can help organizations embrace the CSF without spending heavily to meet compliance requirements. This will further reduce barriers to deploying the CSF, increasing the number of “native speakers” and continuing a sea change in securing the data and infrastructure of increasingly interconnected organizations.
The CSF offers a seven-step use case that brings the framework to life by walking organizations through the steps needed to create or improve their cybersecurity program. Organizations that want to adopt the CSF, or improve their use of it, would benefit from operationalizing these steps:
- Prioritize and Scope: Define system/environment and business mission.
- Orient: Identify assets, regulatory requirements, and overall risk approach.
- Create Current Profile: Assess where security objectives are being achieved.
- Conduct Risk Assessment: Assess risk posture based on current profile.
- Create Target Profile: Identify desired cybersecurity outcomes.
- Gap Analysis: Compare current profile with the target profile.
- Action Plan: Develop plans to address and prioritize the gaps.
A workflow-enabled system allows organizations to establish and maintain a lifecycle enterprise cyber risk management process. It also provides tools to help automate the collection of validation data needed to demonstrate achievement of security objectives and create a body of evidence that demonstrates a standard of due care. Such a system would also support the elements of the Framework Core, allowing organizations to communicate cyber risk in a consistent manner at all levels of the organization.
The NIST CSF continues to prove its value and acceptance across a broad range of business sectors, soon to include the federal government. It creates a common frame of reference in planning, deploying, and discussing cybersecurity strategies and tactics. It also enables cybersecurity personnel to communicate ideas about cybersecurity to the boardroom in terms of mitigating and managing risk in order to marshal support and gain funding for critical security initiatives.
Key to the efficient deployment of the CSF is automating as many of the processes that underlie the framework as possible. The ability to inherit security controls, collect and manage the right data, and maintain a supporting body of evidence to prove compliance makes the CSF a powerful regimen for assuring cybersecurity and enabling IT risk management across the enterprise.